Simon Hodgkinson [00:00:00]:
whatever company you’re applying for, make sure they’re clear about your position and your red lines, how you work. So it’s not a one-way interview process. You’re interviewing them as well. You know, you want to make sure you work for the right organization, that they’re going to allow you to do the things that are important to you. That takes a fair bit of maturity to do, but actually, if they respond well to that, you’re probably working for a decent organization.
Karissa Breen [00:00:43]:
Joining me back on the show is Simon Hodgkinson, strategic advisor at Semperis, and today we’re discussing the burnout crisis in the cybersecurity community. So Simon, welcome back.
Simon Hodgkinson [00:00:53]:
Thanks, KB, it’s always a pleasure. I’m looking forward to the conversation.
Karissa Breen [00:00:57]:
So this is an interesting one, and I’ve definitely spoken about burnout on the show before, but not in the lens of you personally going through it. I’ve spoken about vendors having reports or people touching it at a high level, but I think it was really important to get you on to talk through it, to hear your side and walk through some of the things that you’ve been through and what that actually means for people out there in the community. So for people who don’t know, you were formerly the global CISO at BP, and I really just want to start there. Like, just tell us more about your experience and when was that moment that you believe like, ooh, I think I’m starting to get pre-burnout and burnout.
Simon Hodgkinson [00:01:37]:
So yeah, global CISO at BP, just to give you a sense of scale, that was 80 different countries. It was sort of 600 offices around the globe, around 75,000 staff and tens of thousands of contractors and a load of industrial assets as well. So, you know, all of the operations technology that ran the rigs, refineries. Ships, yeah, pipelines. So, so a fairly, fairly broad array of, of coverage and also enormous amount of topics. So as global CISO, you know, just to give you a sense of what that included, it included everything from, you know, the strategy, the architecture through governance, risk and compliance. So, you know, accountable for making sure that we were compliant from an IT controls perspective across the globe. It went into business information security, so making sure that we had embedded capability in all of the businesses.
Simon Hodgkinson [00:02:31]:
And we were a very federated business with tens and tens of different business units spread across the globe, as you might well, uh, imagine. It was the OT security side, so, you know, looking after all of those critical assets and making sure that we kept them running, but in a secure way. Also things like identity and access management. So, so yeah, it was a very sort of broad church of topics. And that included every day included something from writing a board report, you know, writing a report that went to the finance and risk committee through to actually the literally the billions of events that hit the security operations center every day of the week and triaging that down to the most high-profile, most critical incidents that we actually needed to respond to. The other thing I think just, I, I missed it out, but really importantly is also behavioral awareness and making sure we have behavioral change across all of those staff in our company, which included an incredibly diverse population from a geographical perspective and also culturally as well. So, you know, just to give you a sense— I hope that gives you a sense of scale. And that was sort of the driver for a lot of the pressure because every day you walked into the office, there was something new.
Simon Hodgkinson [00:03:52]:
The one thing I want to say before we get into the meat of the topic is I had tremendous support from BP as well. So from Bob Dudley and Brian Gilvary and the board at BP to do the right thing around cybersecurity. So, you know, everything, all of the pressure that was on me, I was one of the lucky CISOs in the fact that, you know, I did have the support from the top and they were incredibly helpful in making sure that the business realized that cyber was important. So I think when you ask the question, when did I realize, I think I, I didn’t realize for a long time. I think people were telling me, you know, I used to work ridiculous hours. I was, I was in the office at 6 in the morning. I was typically leaving 6 to 7 at night. I’d often get a call from Houston.
Simon Hodgkinson [00:04:39]:
So Houston, we have a problem in the evenings. And I had a brilliant team, but it was just more about me. Uh, and it was more my desire to make sure I knew everything that was going on. And interestingly enough, that having spent some time with corporate psychologists, that came from a background of, you know, failing in different things previously that led to that need for assurance that everything was going right.
Karissa Breen [00:05:03]:
So when you said failure at things previously, do you mean just generally, or do you mean like another role, something had happened and then you felt this need of responsibility to succeed?
Simon Hodgkinson [00:05:15]:
Yeah, absolutely. Um, so, you know, I go back to— I mean, when you sit with a corporate psychologist, they go back to your— and give you a sense of why, as you went up through the organization in terms of seniority with BP, they would make sure they again, a brilliant company. They would make sure that you had time with a corporate psychologist to make sure that you could deal at the level you were going to operate at and with some of the stresses that were there. So it was a great company in making sure that they didn’t overpromote somebody into an area where they couldn’t cope. So the whole point of the corporate psychologist, and I, I did it 2 or 3 times in my career, was all about caring for people and making sure that people were looked after. So it was a good thing and it was a real privilege to spend time. But they took you back to literally, you know, take you back to your childhood, tell me about your childhood. And as I was coming up through schools, I had a, a massive wake-up call when I frankly messed up my A-levels in the early ’80s. And then through different points through my career, you know, managed to have some amazing job opportunities in my, um, career.
Simon Hodgkinson [00:06:23]:
But, you know, inevitably you had things that failed. So a big program in the sort of mid-2000s, lots of money, lots of people that frankly, you know, we had to write off and it was unsuccessful. Me particularly, but actually, you know, I should have recognized earlier in that cycle that the program wasn’t going to be successful and shut it down earlier. It was bleeding edge technology and the business weren’t really committed to it. So, so you learn through that. Yeah, you get to learn about things you’re good at and things you’re not. And I had a 360-degree feedback session with my direct reports and peers, etc. And I thought I was quite an empowering manager until I got the 360-degree feedback from my, from the people who work from me.
Simon Hodgkinson [00:07:11]:
And basically, you know, it was, they really liked working for me and a lot of positive messages. But the one message that stood out was actually, Simon, you always ask for more data to make sure, you know, to assure yourself that things are on track. And so there was that sort of, that early failure in my career led me to be somebody who just wanted to make sure everything was gonna be successful. Basketball, and therefore I just worked so hard.
Karissa Breen [00:07:37]:
I can relate to some of those things that you’re saying as well, but I think the problem that you’re— we’re going to get into this a bit more— at the detriment of your life and your well-being and all those sort of things. But before we move on to that, you said something before that the corporate psychologists sort of understood and assessed whether you could deal at the level you’re going to be operating at, which was a senior global role. You’re always on, time zones, all of the things. How do they sort of assess like, yes, Simon can deal or not deal? I know it’s not so binary where it’s like yes or no, but what are some of the sort of tell signs would you say?
Simon Hodgkinson [00:08:13]:
First of all, you’ve got to be able to, you know, as a technologist, and I came through from— my career has always been deeply technical. As you go up through the organization, you have to be able to deal with business leadership. You have to be able to translate, you know, technology into business language. You have to operate with the highest people in the company. You know, um, BP was a huge organization. You were in front board, you’re— I’ve spent a lot of time with the executive team and spent a lot of time with different committee structures. So, you know, can you flex that natural muscle to be able to cope with those different demands, which in their own right, although they might not be sort of real-time incidents that you’re responding to, it can be equally stressful in terms of, you know, you want to do the very best job to, to get the outcomes you want. So they’re sort of assessing you on your ability to step up to a different level of stepping stakeholders.
Simon Hodgkinson [00:09:10]:
Um, and they also, you know, they also interview people around you before those sessions to get feedback on, you know, how do you respond. What you don’t want in a crisis is somebody who runs around with their hair on fire, for instance. You need somebody who’s calm, but equally somebody who’s able to make some pretty tough decisions in the heat of the moment and accept the ramifications that might come from that. And so they— those are the sort of things, and I mean, there’s lots more, but those are the sort of things that they’re assessing through a series of interviews with people that work for or around you, but also with the interviews, you spend a lot of time with them. They take you through different psychometric tests, et cetera. So yeah, it’s a very thorough process.
Karissa Breen [00:09:53]:
And would you say, given your tenure in the space, perhaps there are people out there that really want the title of a CISO, Global CISO, VP, all of the things, they want the salary, they want the benefits, they want, I’m flying around, I’m doing all the, all the stuff, all the hoo-ha. But would you say that perhaps the responsibility is like, well, now that I’ve got the title and all the extras, I gotta do the responsibility. Do you think that sometimes people push more to get the title and the status over the responsibility? It was just more of a curious question. And I know people predominantly in cybersecurity are driven by the mission, but I’ve just started to hear in the market over the years of people saying, oh, that person got the job, but like, I think they just really wanted it for the title.
Simon Hodgkinson [00:10:37]:
Yeah, I think this, um, I think, I think people are becoming more aware of just how such a tough job now at an executive level. Uh, I think there’s an element of, uh, that sort of small to medium, you can get the title of CISO, but you know, you don’t really have the relationships and the scale and the scope that you do at an enterprise level. So I’m sure there’s some of that and people see actually getting the title as a mechanism to stepping up through different organizations. I mean, you call out— see, it’s actually the 10 years seem to be a little bit longer, certainly in the UK at the moment, but it was a 12 to 18, well, probably even less than that, 11 to 18 months sort of tenure at one point being a CISO as, as people got the title and moved on to bigger organizations and more salary. But I do think, I think that the industry is becoming more aware of the downsides of the role and the downsides of the role, you know, obviously are the scope, the scale, the profile. And inevitably, um, the proverbial will hit the fan fairly regularly. Not hopefully for most organizations, it won’t be sort of the existential threat issue, although lots of organizations go through some horrible events. But every day you’re dealing with something and sort of, you know, back to you, you made the point about you never switch off.
Simon Hodgkinson [00:11:54]:
And I think there is an element of how you’re wired personally. But for me, you know, that was my problem is I could, I could never switch off. So I think, yeah, yes, I think to answer the question, I think there are some, but I do think, you know, the cyber community generally is very mission-oriented and people who want to do the very best job they can by the companies they work for.
Karissa Breen [00:12:15]:
Talking about switching off, do you switch off, Neil?
Simon Hodgkinson [00:12:18]:
Oh, absolutely. In 2019, I’d been doing the job for 2 and a half years. And prior to CISO, I ran global infrastructure and operations for 3 years. So that was everything from data centers, networks, end-user compute, field services, again, across the same, same scale of organization and geographies and what have you. So, so, you know, you add that, that’s, that was 7, broadly 7 years doing that sort of 24 by 7 job. And, you know, cyber is an issue, but actually any prolonged loss of technology is incredibly stressful. I remember an event where we lost our email system for days and the business stops, right? I mean, it’s really, I mean, email was so important to the way we communicated, that was like 12 years ago or whatever. But the reality is the pressure was similar in, in, in that role, but the profile wasn’t quite the same.
Simon Hodgkinson [00:13:10]:
So you didn’t have the board reporting and all of that sort of stuff. But 2019, I sadly lost my eldest brother. He was in Abu Dhabi and he died of a pulmonary embolism. And my brother had, um, gone to, you know, for the last couple of years of his career to the Middle East and never made it back again. You know, he was working his socks off over there, different profession. But, you know, again, he was working all the hours God sends. And that was a real wake-up call for me. And I’d previously lost my other brother.
Simon Hodgkinson [00:13:39]:
So I was then— I haven’t been one of three, I was one of one at that point. And it was a really big wake-up call. It’s like, have you really got your balance right in life? And I deeply regret prioritizing work over, you know, frankly, a lot of family time as well. And, you know, so, but now I’m in the position where I am, I’ve really recognized that through the event, you know, what my brother went through and talking to his, his wife, et cetera. And also, you know what, when you reflect through that process, your own situation, you look at yourself and think, well, I just lost the plot. I absolutely lost the plot on what’s important. And as I said, I deeply regret it, but now I absolutely recognize that. So, you know, not a day goes by without going out for a long walk, doing a bit of exercise, making sure in my diary, you know, there are breaks that I can do something different other than just work, you know, spend time with the, the family, make sure my, both my kids have moved away, make sure I reach out to them regularly to check in on how they are, stay connected with my friends.
Simon Hodgkinson [00:14:47]:
So I spend, you know, more time going at, going out and chatting with my friends or my next door neighbors. So anything just to, to step away from work. Now I’m in the luxury, luxurious position now of being in sort of career 2.0 and a plural career with that same pressure. That doesn’t exist. But I do speak to lots, lots and lots of CISOs in a, not in a formal mentoring sense, but just giving them the feedback that just don’t be me. Please don’t be me. It isn’t worth it. You know, you’ve got to make sure you look after your family, look after your physical and your mental health.
Simon Hodgkinson [00:15:23]:
I’m a great believer in you can’t separate those two things. And, a pleasure of meeting Rachel Vickery, last year and hadn’t even ever talked about physiological impacts of things like cyber. We’d only ever talked about psychology. And actually, I think that physiolog— physiological piece is really key as well. And that to me is about keeping that balance between your, your physical and your mental state.
Karissa Breen [00:15:51]:
Well, firstly, I’m really sad to hear about your brother and then your other brother. That’s a lot, and I’m glad that you recognized it though. So would you say that when your brother in Dubai sadly passed away, that really was the time when you’re like, hang on, there’s got to be more going on than just what I’m doing day in, day out?
Simon Hodgkinson [00:16:11]:
Oh, absolutely. And again, I will stress that I was so lucky to work for BP. The support structure they put around me at that point, and, you know, anything from helping me with kind of getting the repatriation of the body back through to, you know, making sure that I had space at work. I couldn’t speak more highly of the leadership of BP around that care at a very personal level. And we obviously had people in the region and there were some amazing people that just reached out to, to help and navigate a different culture. So, so I was incredibly lucky to work for that sort of organization. Many don’t when they go through those lifestyle or life issues. And so it just becomes another stressor on top of the work stress without any kind of release valve.
Simon Hodgkinson [00:17:02]:
But I recognized then very much that I needed to change. And, you know, BP had a change of leadership in early 2020. There was a massive reorganization of the, um, tier 1 and tier 2 structure. So the leadership team and the next level down, I fought very hard to get the CISO role elevated to tier 2. So it was no longer under the CIO. Albeit I, you know, I had a great relationship with the CIO when I was working there and who was again, was very supportive. But we managed to get the role elevated and then obviously I, you know, and they offered me the role and I, I said then this, you know, I’ve been doing the role 4 years. I had all this stuff in my personal life that had gone on and I asked BP if then we could look for my successor and they agreed and, you know, I spent 2020 making sure we had the right successor in place.
Simon Hodgkinson [00:17:58]:
In fact, I had already hired her and she was in my organization, making sure she was ready to take over. And I left at the end of 2020. What was really interesting in that period though, I was starting to slow down a little bit and it was the middle of COVID if you recall. I went out for a run one day and I thought, wow, I feel really tired and I’m, I’m relatively fit. And I came back and said to my wife at the time, you know, I didn’t feel great, probably COVID, but tested, no COVID. Next day I jumped on the bike, same thing, I was fine just walking or just pedaling gently, but if I tried to do anything— anyway, long story short, she said, you better phone the, uh, the doctor. So I called the doctor feeling really guilty through COVID, of course, and he sent me for a blood test and they identified I had pulmonary embolism, just exactly the thing that killed my brother, and that was the kind of real, actually, yeah, if I hadn’t changed my lookout on life, I would never have called that doctor because I would have been 100% bang in, focused on work. And then it was like, yeah, I’m doing the right thing.
Simon Hodgkinson [00:19:07]:
Yeah, I’m absolutely doing the right thing stepping back.
Karissa Breen [00:19:09]:
So when you had time and you went for the run, you obviously started to tune in a bit more around, oh, definitely feeling a bit more tired than I normally would. And that was sort of, was the impetus to, for your wife to say, call the, the doctor and then do further investigation. But would you say if you’re operating at the level before, you would have just ignored it?
Simon Hodgkinson [00:19:27]:
I would have ignored it. I absolutely would have, because work was the most important thing. There was no doubt in my mind that I had not made that break, I would have just knuckled down, carried on. Didn’t feel bad. It just, I would just wrote it off as, yeah, no, nothing to worry about. I’ll get better in a couple of weeks, but I probably wouldn’t have had a couple of weeks. It probably would have killed me before then. It’s terrible.
Simon Hodgkinson [00:19:54]:
That’s life, I’m afraid. That’s the reality. Now, I am— what I will say again, you know, I had an amazing support structure in BP. That was about me, you know, and it was my— I just got so wrapped up in the job. It was so full-on if you let it be. There are some people that are able to, to compartmentalize things and they don’t have the same issue. But, you know, when you’ve got somebody like me who’d even been through all of that sort of testing regime, that was just in me. I needed to be over everything.
Simon Hodgkinson [00:20:24]:
I needed to know everything. I needed to know everything was on track. I loved it. And I don’t think I was a particularly egotistical person, KB, but I actually think when you pull back the covers and you say why, then I probably was. I probably liked the profile and the fact that, you know, the, the job was very high profile internally in the company as well as externally as well. So, so I think for somebody I, like I said, didn’t think I had a big ego. I probably did, just didn’t recognize it.
Karissa Breen [00:20:54]:
And you said before, I think I lost the plot. Describe losing the plot in your words.
Simon Hodgkinson [00:20:58]:
My poor wife at the time, you know, I would come home from work and she would want to talk to me and I would be sitting there and, and nodding my head, but I’d been talking to people for 12 hours by that point and my head was on, on work all of the time. You know, invariably she said she would be saying something and then turn around and say, you didn’t hear me, did you? And it’s like, ah, you know, I’m just so tired. Can I just need a bit of peace, quiet and what have you. So I wasn’t, I wasn’t there for my wife and I deeply regret that, right? I mean, it’s like that’s losing the plot. My son at one point, not in a hurtful way, it wasn’t meant to be hurtful. He’d come back from university and I think we used to have a policy not bringing the phones to the table when you’re having dinner. I can’t remember the exact quote, but it was something along the lines of, you’re physically here, but you’re not mentally a lot of the time.
Simon Hodgkinson [00:21:56]:
And, you know, what he meant was, you know, I’d sit at the table a bit like, you know, like, like the experience with my wife, but my kids would be talking to me. And, you know, again, it would be, my mind wasn’t 100% focused on my kids. My, my mind was a percentage of my mind was always in work. Always in work. And again, I deeply regret that. I love my kids to death, you know, and you look back on it and you think, I should have been there for them, more present there. I was there physically, but should have been up, albeit I did travel a lot as well. But when I was physically there, I wasn’t mentally fully, fully there for them.
Simon Hodgkinson [00:22:31]:
And I left that burden to my wife, which is just wrong, right? That’s, that for me is losing the plot.
Karissa Breen [00:22:38]:
One of the things that I’ve often heard for men in your sort of position— and growing up, I mean, my dad worked away a lot, so I’m quite familiar with how that feels— would be, yeah, and I get that my wife’s at home, but I’m like, there’s more— like, obviously, traditionally speaking, men— and maybe even, you know, back then, or even, even younger than that— would be, they were more the breadwinners and they would go out. So it’s like, okay, but I’m still helping my kids. Like, a lot of men that I speak to, which is a lot, rationalize it with, yes, but I’m helping my kids because I can, I’ve got the job, I’ve got the salary to put them through the college, to do the things, to pay for their weddings. Where does that statement sit with you?
Simon Hodgkinson [00:23:17]:
In some respects, I was thinking I was doing the right thing, but you know, that’s not what my kids wanted. That’s not what my wife wanted. They wanted you there both physically and mentally. And you know, money can’t replace that, right? And you can’t go back. And the thing I say to, to those I talk to on a personal level about this is, it’s something you can never get back. All right, money can’t buy that time back. Those experiences are gone. You know, and yes, you know, you might be able to afford a, a better holiday, but my guess is if you sit down with your kids or your wife and you really talk about what’s important, what’s really important is being there as a dad to support both.
Simon Hodgkinson [00:24:02]:
And I do recognize and I hear people say that, that, and there’s an element of obviously it has benefited, benefited the family from a financial perspective, but that, that is nowhere close to the time that you’ve lost with your children and being there for them all of the time and being present for them all the time when you’re there. You know, that again is life, work means you will be away and when you’re at work throwing yourself in 100%, absolutely right, exactly what you should do and you should commit to it when you’re at home, make sure you spend time and focus on your, your family.
Karissa Breen [00:24:37]:
So one of the things I’m curious to know now is people— you said before you had to backfill, the successor came in. So did that lady inherit some of your problems? Was it just a personal thing? And I ask this because to do these sort of roles, sometimes it really is required from somewhere. You can’t change time zones, like if it’s in all over the world. You do unfortunately have to be on, and I’m just trying to see how do people get to the point where they can manage and not have this to regret and feel like they’re losing the plot also whilst maintaining that level of, hey, I’m doing this job, I’m being paid to do this job. How do you find that balance? And I know that’s a really hard question to ask, but like someone at the end of the day does need to do the job, or is it just when you’re in the job, but we— and we’ve seen it, you said it before, there’s it’s, it’s like clockwork. Someone’s in, then they’re out. How do we address that problem? Because unfortunately, it’s one of those sort of jobs you don’t know what’s going to hit you that day, what’s going to come up. It’s not like you choose to spend your Saturday dealing with an incident.
Karissa Breen [00:25:45]:
But I think this is a really big question because we do need these people in these roles. But is it at the detriment of not spending time with their family and potentially eroding their health, or I’m just curious to understand from your perspective, Simon, given what you’ve shared with me already today.
Simon Hodgkinson [00:26:02]:
I think there’s a lot in who you are. So I think there are people that are better able to compartmentalize those two, you know, your work and your life. I think it’s about recognizing the quality of your team as well. I had a great team, and I, as I said, I mean, shared that the fact I had a 360 and people said I wasn’t particularly empowering because I was always seeking assurance. I could have done a lot more to say, actually I’m not here. You know, I had people in Houston, I had people around the globe who were more than capable of stepping in, but it was a— it was something in me that wanted to be part of all of that, wanted to know everything that was going on. So it’s a lot, I think, a lot about how you’re wired personally. That said, I was working in a, an enterprise with terrific support at BP from the executive down, so had good level of resourcing, right tools, right people, et cetera.
Simon Hodgkinson [00:26:58]:
I speak to lots of CISOs in the market that don’t have that. So then it comes down to, actually it’s down to you and whether you’re prepared to make that stand and say, no, I’ve gone home now. And I’m going to let my SOC manage this overnight and only call me if it’s, if it’s really gone pear-shaped or, you know, if I not get involved in projects, I’m going to compartmentalize my time and focus more on the strategic element. Of things like governance, risk and compliance, all of the board stuff. But I was over all of it and that was just a lot about me. So I think, I think CISOs need to really, really focus on, you know, get focused on what do they really need to get involved in? What are their top priorities? How do they compartmentalize that time? And also some people should consider whether you’ve said about people coming into the role, there’s also a question of timing, right? Where are you in your life cycle? Cool. If I went back now and, you know, no, my kids were older when I, I moved into those roles, but my kids were really young and somebody offered me that role, then knowing what I do now, I would turn it down just because I would want to be there. There’s a lot of regret in this, of course.
Simon Hodgkinson [00:28:13]:
I would have wanted to be there a lot more for my, uh, my family.
Karissa Breen [00:28:18]:
So do you believe there is a burnout crisis happening in the cybersecurity industry today?
Simon Hodgkinson [00:28:21]:
Yes. My litmus test for that is how many people talk to me about, this is the last job I’m doing, I want to go into the plural career. And assuming that’s an easier way because of the stresses and the strains of the role. So, so that, that would be my litmus test. Now I, I talk to a lot of CISOs at kind of enterprise level and tend to be more of my sort of age and therefore they are naturally coming to sort of at that pivot point in their career, but an awful lot of them are just like, the stress and the overheads are just so enormous that I want to do something different.
Karissa Breen [00:28:57]:
So do you believe that there’s going to be a deficit of people? Because I mean, depends on who you ask. I’ve heard over the years like, oh, we don’t have enough people. But then people might listen to this and go, you know what, what Simon said, I’m absolutely never doing senior role like that because I don’t want to lose my family and my health and all these things that you discussed with me today, which I appreciate. Where does that leave the industry then? As I mentioned, like, someone does have to do the role. So does that mean that we’re going to have people that are perhaps not ready to do that role, but then there’s no one else because people are like, well, actually, it sounds stressful and I’m not— I don’t want to do it, or where does that, where does that land?
Simon Hodgkinson [00:29:32]:
I think you’re always going to have enough people who put their hands up to do the role at different stages in their life. The big thing, the big question is, are they ready for it? Because it’s not, you know, it’s not like— if you look at my career, was always through a technical background, you know, I worked for commercial software companies, went in and worked in investment banking at Lehman Brothers, did a dot-com, joined BP, all in technical roles, and then grew into a role that frankly is one of the most important business leadership roles there are going. Now, I was lucky again, I worked in a company that gave me all the right support and coaching and mentoring to, to make that level. I think you’ve got a lot of people see it as, you know, this ability to, you know, make more money, get a high profile, maybe move to the next job, next company, etc. The question is, are they doing it for the right reasons and are they aware of the stresses and the strains? I’m not sure necessarily everybody is. I think, you know, hopefully people will listen to this podcast and not to stop people doing the role, but to actually give them the ability to think about what are their red lines? What are they going to put in place and say, actually, yes, I’d love to take your role, whichever company they’re applying for, but here’s a lot about me. I’ve got a young family. I’m going to make sure that my Saturdays and Sundays, unless there’s a major incident, I ain’t going to work them.
Simon Hodgkinson [00:30:58]:
I’m going to make sure I spend time with my families. You know, I need to be home at 6 o’clock in the evening because that’s when the family has their dinner and I want to spend time with my kids. And being a bit more sort of declarative over what your own red lines are as you move into what is a very high profile, getting more high profile, especially with things like AI coming in and, and CISOs inevitably picking up the, uh, rush to AI problems, which there are many, and will cause a lot more incidents. But I think actually people, if they think— listen to this and take one thing away, is, is be clear about what your red lines are and make sure you implement them.
Karissa Breen [00:31:36]:
Do you think looking back you were ever fixated on things that perhaps, it’s not like it didn’t matter, but maybe weren’t as important, perhaps. For example, I’ve worked with— I mean, I haven’t worked for someone for a long time, but I have worked with previous bosses that were really fixated on how policy was written. And I get that’s important, but sometimes it’s like a little bit too much OCD going on in there, and they’re sort of driven by the document rather than the outcome of the document, like how the document looks. I’m just using as an example. Do you think that perhaps that absorbs some of your time as well? Of just— you said you had to be across everything. And do you think looking back on it, you focused on things in addition to your, you know, intense tasks that really you didn’t need to?
Simon Hodgkinson [00:32:17]:
Yeah, yeah, for sure. I had an amazing team of people, but I wanted to be involved. I am a techno— I love technology, right? And so, you know, there were lots of incidents and technical issues that I really didn’t need to get involved in, but I was fascinated by it and I was, I was keen to get— roll my sleeves up. And, and some of my best times were like sitting with the tech guys in on an incident bridge trying to figure out how we fix things. I actually really loved being the decision maker. So, you know, when we had very significant incidents, I loved to be part of that. It was almost like a hero culture. And back to, I didn’t think I had an ego, but I really did.
Simon Hodgkinson [00:32:59]:
You know, that made me feel important. So yeah, absolutely. No question. No question. And again, amplifying the 360-degree feedback. That, you know, I had a great team in place. When you get into those roles, you hire a good team, right? And then make sure you empower them by not doing their job for them.
Karissa Breen [00:33:14]:
You were the best person to make the decision at the end of the day that no one else could, perhaps in your absence?
Simon Hodgkinson [00:33:19]:
Yes, I probably did that quite a lot, and people could have made the decision, and in many respects they did make the decision. There was a little bit of me making sure that I gave people who work for me air So if I made the decision and the decision was wrong, that was down to me. If they made the decision, I didn’t want them to be exposed necessarily. So there was an element of that as well.
Karissa Breen [00:33:45]:
You mentioned before you had great support from BP. I know that other people that I speak to in this market right across the world do not. So what do you think they do then? Maybe they don’t have the support. Maybe, you know, their boss doesn’t really care at the end of the day, or it’s about the shareholders. Maybe you were lucky, you were lucky, but other people aren’t as lucky. So what would you sort of advise for people listening? They’re in this position, they’re like, well, I don’t really have any support going on.
Simon Hodgkinson [00:34:14]:
So I think a couple of things. I think back to, you know, when you go into those roles, make sure you’re clear with whoever’s hiring you, whatever company you’re applying for. Make sure they’re clear about your position and your red lines, how you work. So it’s not a one-way interview process. You’re interviewing them as well. You know, you want to make sure you work for the right organization that are going to allow you to do the things that are important to you. That takes a fair bit of maturity to do, but actually, if they respond well to that, you’re probably working for a decent organization. So I think that’s kind of one element that is important.
Simon Hodgkinson [00:34:50]:
And I think, well, then is being utterly transparent. I think some of the conversations I have with CISOs are not want to expose some of the issues that exist in organizations. The job of the CISO, in fact, the job of anybody who manages risk, which is pretty much everybody in an organization, is to speak up and be clear about the risk position. Not in a, uh, the sky’s falling in way, but in a very balanced business narrative. It’s like, if you choose not to do this, this is the likelihood and the impact of something happening. And that’s your decision. But, you know, ultimately the CEO and the board are accountable for all the risk. Don’t try and hide things.
Simon Hodgkinson [00:35:37]:
Don’t try and cover gaps with sort of narrative that isn’t factual and to the point. Your job is to make sure that the organization is aware of the risk they’re taking. If that’s fine, if that’s within their risk appetite, well, like every other risk in a business, that’s okay. They’ve accepted it and move on. I see a lot of CISOs not wanting to do that because they see it as failure, but that will end up coming to bite you on the backside. So utter transparency and being clear about what your red lines— I would say are two critical points.
Karissa Breen [00:36:07]:
You mentioned before that now you’re more of a luxurious position, so you’re doing a lot of senior advising for companies like Semperis. But if you didn’t do the role before, do you think you’d be in the position you are in now? So is there some light at the end of channel or not really?
Simon Hodgkinson [00:36:22]:
Absolutely. I’m— the relationships that I had, then that’s given me access to, to do this role. And I think that’s why I end up speaking to a lot of people who are looking at career 2.0 now, as they’ve done big roles as CISOs and they see opportunities to, to do something different and not have that level of accountability necessarily. So yeah, absolutely, without that role, you know, my prior role was a big role as well, running global infrastructure and ops. I’m sure that would have led me to, to potentially similar opportunities. And actually working— I just love working with Semperis, largely because they’re an incredibly mature startup. You know, Mickey Bresman and the team are, um, you know, they have this mission of a force for good. They look out for this stuff.
Simon Hodgkinson [00:37:12]:
So it’s great to work with a company that sort of— I have aligned values on with that. But equally, you know, I had a lot of background in infrastructure and ops as well. So Semperis, Semperis often sits between security and infra. So it’s been ideal in that respect. I was talking to somebody last week over breakfast and they were talking about interim roles. And interim roles are interesting. I’ve been offered quite a few different interim roles, but I tend to think that what you end up doing, certainly I know my personality, if I went in for an interim role, I want to make a big difference in 6 months. So I’d probably work a damn sight harder just to make a difference.
Simon Hodgkinson [00:37:51]:
And therefore my own personal red lines say, sorry, even though the thing’s interesting, Simon, don’t put yourself in that position again. Interim roles as a CISO, I mean. And I’m very clear that I know myself more now, what I’ve learned about myself and what drives me. I know if I did that, I would put myself back in the same position, if not worse than I was at BP. So I’m just not going to do it. That’s my personal red line.
Karissa Breen [00:38:15]:
So what drives you now?
Simon Hodgkinson [00:38:16]:
Desperately love work— I love working with tech. So I really enjoy working with the startup community. I love seeing these companies solving real business problems. There’s so many business problems out there and seeing them mature. So I’ve been with Semperis 5 years and seeing them go from sub-100 people to over 500. You know, they’ve got the biggest and the best marquee brands in the world as customers now. It’s just been an amazing to— a delight actually to see an organization that was a startup go through scale-up, etc. It’s fantastic.
Simon Hodgkinson [00:38:53]:
And, and, you know, I’m at the back end of my career now and I’ve got quite a lot of experience. So anything I can do to help those organizations be successful and see them grow is, is just amazing. And it’s not easy, right? I mean, you know, I talked about the stress of the CISO, but you know, the stress for these companies going from zero to, to a scale-up organization, it comes with a lot of pain as well along the way. So a lot of pressure on, on selling and all of that. So it’s different stress and strain, but still stress and strain nonetheless.
Karissa Breen [00:39:23]:
And lastly, Simon, what would you like to leave our audience with today?
Simon Hodgkinson [00:39:27]:
Well, I’d really like to think— by sharing my own experience, it might help people frame a little bit about how they compartmentalize, how they get really clear about what’s important in life. And it’s not work. We talk about work-life balance. It should be life-work balance. The way we talk about it, the things that really count to your family and your friends, and making sure you prioritize that over work. And hence this notion of getting clear about what your red lines are and being clearer with your leadership about what, you know, if you take the role, this is how I’m going to do it. These are the things I’m going to protect unless obviously if there’s a massive ransomware attack that sort of goes out the window.
Simon Hodgkinson [00:40:12]:
But in day-to-day operations, which includes loads of incidents all the time, this is the way I’m going to work. I’m going to prioritize my family. So really get clear on what’s important to you, what your red lines are, and be utterly transparent about that. That, as well as being trans— utterly transparent with your organization about the kind of risk posture